Selfmade policy not getting enforced on Fedora9

Eric Paris eparis at redhat.com
Wed May 28 18:28:32 UTC 2008


On Wed, 2008-05-28 at 20:18 +0200, Stefan Schleifer wrote:
> Hey guys,
> 
> As you might guess, I've a problem with my SELinux-policy under Fedora  
> 9.
> 
> I created a little test application 'demo' which reads some text from  
> stdin and writes it in a config file /etc/hackbar/config.txt.
> 
> Afterwards, I developed a policy with types demo_t, demo_exec_t and
> demo_etc_t and allowed demo_exec_t to read/write demo_etc_t.
> Everything's fine.
> 
> For testing purposes I changed /etc/hackbar/config.txt to type etc_t  
> which demo_exec_t shouldn't be able to access as there doesn't exist  
> an allow demo_exec_t r/w etc_t.
> 
> 
> [stefan@localhost policy]$ ls -Z /usr/local/bin/demo
> -rwsr-sr-x   root   root   system_u:object_r:demo_exec_t:s0 /usr/local/bin/demo
> [stefan@localhost policy]$ ls -Z /etc/hackbar/config.txt
> -rwxr-xr-x   root   root   system_u:object_r:etc_t:s0 /etc/hackbar/config.txt
> 
> 
> Again I ran the application but it is still allowed to change that  
> file?!
> 
> 
> [stefan@localhost policy]$ /usr/local/bin/demo
> Enter text: foobar
> Read from file: foobar
> 
> 
> Regarding standard UNIX permissions, access should be granted as the
> demo-app has suid set, but shouldn't SELinux permit access anyway in
> this case?
> 
> SELinux is in enforcing mode.
> 
> 
> [stefan@localhost policy]$ /usr/sbin/sestatus
> SELinux status:			enabled
> SELinuxfs mount:			/selinux
> Current mode:			enforcing
> Mode from config file:		enforcing
> Policy version:			22
> Policy from config file:		targeted
> 
> 
> I'm rather confused...

Are you sure you have the right transition rule from whatever your shell
runs as ?unconfined_t? to demo_t if you run a demo_exec_t binary?  What
do you see from ps -efZ | grep demo while your program is running??

-Eric
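
The transition question above, as an added Python model that is not part of the original message or of any SELinux tool: it computes which domain the process ends up in and whether that domain may write the file. Both rule sets are constructed; unconfined_t as the shell's domain is the guess from the reply, and the unconfined_t grant on etc_t stands in for the targeted policy's broad allowances.

```python
import re

# Constructed rule sets. AS_DESCRIBED mirrors the post: the allow rule names
# the file type demo_exec_t as its source and nothing defines a transition.
UNCONFINED = "allow unconfined_t etc_t:file { read write };"  # assumed stand-in
AS_DESCRIBED = UNCONFINED + """
allow demo_exec_t demo_etc_t:file { read write };
"""
WITH_TRANSITION = UNCONFINED + """
type_transition unconfined_t demo_exec_t:process demo_t;
allow unconfined_t demo_exec_t:file { getattr read execute };
allow unconfined_t demo_t:process transition;
allow demo_t demo_exec_t:file entrypoint;
allow demo_t demo_etc_t:file { read write };
"""

def parse(policy):
    """Return (set of (source, target, class, perm), type_transition map)."""
    allows, trans = set(), {}
    for m in re.finditer(r"allow (\w+) (\w+):(\w+) \{?([\w ]+?)\}?;", policy):
        src, tgt, cls, perms = m.groups()
        allows |= {(src, tgt, cls, p) for p in perms.split()}
    for m in re.finditer(r"type_transition (\w+) (\w+):process (\w+);", policy):
        trans[(m.group(1), m.group(2))] = m.group(3)
    return allows, trans

def domain_after_exec(policy, caller, exec_type):
    """Domain of the process after `caller` executes a file of exec_type."""
    allows, trans = parse(policy)
    new = trans.get((caller, exec_type))
    if new is None:
        # No type_transition: the process stays in the caller's domain
        # (simplification: execute_no_trans is not checked here).
        return caller
    needed = {(caller, exec_type, "file", "execute"),
              (caller, new, "process", "transition"),
              (new, exec_type, "file", "entrypoint")}
    if not needed <= allows:
        raise PermissionError("transition to %s lacks %s" % (new, sorted(needed - allows)))
    return new

def may_write(policy, caller, exec_type, file_type):
    """Return (resulting domain, whether that domain may write file_type)."""
    domain = domain_after_exec(policy, caller, exec_type)
    return domain, (domain, file_type, "file", "write") in parse(policy)[0]

if __name__ == "__main__":
    for name, pol in (("as described", AS_DESCRIBED), ("with transition", WITH_TRANSITION)):
        print(name, may_write(pol, "unconfined_t", "demo_exec_t", "etc_t"))
```

In the first rule set the process never leaves unconfined_t, so the missing demo_t rule for etc_t is never consulted; that is the condition `ps -efZ` would reveal on the running program.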




More information about the fedora-selinux-list mailing list